On Saturday 24 May 2014 16:25:14 Richard W.M. Jones wrote:
What would be nice would be to have an API to just do this
relabelling. Libguestfs could change this API as required to handle
different guests.
Dan Walsh helpfully pointed out to us that we've been doing it wrong
all along :-) A much better way to relabel is to run:
setfiles /etc/selinux/targeted/contexts/files/file_contexts DIR
where 'file_contexts' is a file which contains the default labels for
files (a set of regexps), and 'DIR' is the directory at which
relabelling starts. Note that 'setfiles' would be the libguestfs
appliance binary, so no guest binary needs to be run.
A simple API could just look like this:
guestfs_selinux_relabel (g);
which would always use the 'targeted' policy from the guest, and
always start relabelling at the root. This would work fine for
virt-builder.
For Colin's requirements for Project Atomic, I suspect he will want to
be able to set the file_contexts file and the root directory, but
I'll leave him to describe what would be useful.
I have been experimenting/working on this last week (fighting against two
SELinux instances, the one to make happy in the guest, and the active-but-not-
enforcing one eventually present in the appliance), and now I have
something working.
As you said, there are various possibilities in configuring such a
selinux_relabel API; in my first implementation I chose to have it take
as a mandatory argument the root of the guest to relabel, and it is able
to discover the configured policy there. Of course I am open to
suggestions/complaints/etc. about it.
--
Pino Toscano
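Added example (not code from the thread or from libguestfs): a small Python model of what the setfiles invocation above does when run from the appliance against a guest mounted at a sysroot. It parses a constructed file_contexts excerpt (the two- and three-field line formats, the optional file type field, the `<<none>>` context), applies the lookup rule from file_contexts(5) that the last matching specification wins with the regex implicitly anchored, and strips the mount prefix the way `setfiles -r alt_root_path` does, so that the guest's own file_contexts is matched against guest paths rather than appliance paths. The sample policy lines, the `/sysroot` prefix, the entry list and the function names are all constructed for illustration; Python's `re` is used as an approximation of the PCRE/POSIX regex flavour libselinux compiles.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed excerpt in the format of
# /etc/selinux/targeted/contexts/files/file_contexts.  Invented for this
# example; not copied from any shipped policy.  The two-field form labels
# any file type; the three-field form restricts the entry to one type
# ("--" regular file, "-d" directory, "-l" symlink, ...).  "<<none>>" means
# "leave this path unlabelled".  Later lines override earlier ones.
SAMPLE_FILE_CONTEXTS = """\
# comments and blank lines are ignored

/.*                              system_u:object_r:default_t:s0
/etc(/.*)?                       system_u:object_r:etc_t:s0
/etc/shadow.*                --  system_u:object_r:shadow_t:s0
/var(/.*)?                       system_u:object_r:var_t:s0
/var/log(/.*)?                   system_u:object_r:var_log_t:s0
/var/log/lastlog.*           --  system_u:object_r:lastlog_t:s0
/usr/lib/modules/[^/]*/vmlinuz --  system_u:object_r:modules_object_t:s0
/proc(/.*)?                      <<none>>
"""

# file type field in file_contexts -> single stat-style type letter
TYPE_FIELDS = {"--": "-", "-d": "d", "-l": "l", "-c": "c",
               "-b": "b", "-s": "s", "-p": "p"}

# (compiled regex, required file type or None, context or None for <<none>>)
Spec = Tuple["re.Pattern[str]", Optional[str], Optional[str]]


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts lines, keeping file order (order decides precedence)."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 2:
            regex, context = parts
            ftype = None
        elif len(parts) == 3:
            regex, type_field, context = parts
            if type_field not in TYPE_FIELDS:
                raise ValueError(f"line {lineno}: bad file type field {type_field!r}")
            ftype = TYPE_FIELDS[type_field]
        else:
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {len(parts)}")
        # libselinux anchors every specification to the whole path.
        compiled = re.compile("^(?:" + regex + ")$")
        specs.append((compiled, ftype, None if context == "<<none>>" else context))
    return specs


def lookup(specs: List[Spec], path: str, ftype: str = "-") -> Optional[str]:
    """Context the policy wants for a guest-relative path and file type.

    Every spec is tried and the LAST match wins (file_contexts(5)); entries
    with a file type field only apply to that type.  Returns None both when
    nothing matches and when the winning entry is <<none>>: in either case
    a relabel leaves the file alone.
    """
    result: Optional[str] = None
    for regex, spec_type, context in specs:
        if spec_type is not None and spec_type != ftype:
            continue
        if regex.match(path):
            result = context
    return result


def guest_path(appliance_path: str, sysroot: str = "/sysroot") -> str:
    """Map a path as seen from the appliance to the path as the guest sees it.

    This is the alt-root handling of `setfiles -r`: without it, /sysroot/etc/shadow
    would be matched against the regexes and get default_t instead of shadow_t.
    """
    if appliance_path == sysroot:
        return "/"
    if not appliance_path.startswith(sysroot + "/"):
        raise ValueError(f"{appliance_path!r} is not under {sysroot!r}")
    return appliance_path[len(sysroot):]


def relabel_plan(specs: List[Spec],
                 entries: Iterable[Tuple[str, str, str]],
                 sysroot: str = "/sysroot") -> List[Tuple[str, str]]:
    """Dry run (like `setfiles -n`): which files would get a new label.

    entries are (appliance_path, file type letter, current context).
    Returns (appliance_path, wanted context) for each file whose label differs
    from what the policy says; <<none>> and unmatched paths are skipped.
    """
    changes: List[Tuple[str, str]] = []
    for apath, ftype, current in entries:
        wanted = lookup(specs, guest_path(apath, sysroot), ftype)
        if wanted is not None and wanted != current:
            changes.append((apath, wanted))
    return changes


# Constructed directory listing of a guest mounted at /sysroot in the appliance.
SAMPLE_ENTRIES = [
    ("/sysroot/etc", "d", "system_u:object_r:etc_t:s0"),                  # already correct
    ("/sysroot/etc/shadow", "-", "system_u:object_r:unlabeled_t:s0"),     # needs shadow_t
    ("/sysroot/var/log/lastlog", "-", "system_u:object_r:var_log_t:s0"),  # later, more specific entry wins
    ("/sysroot/proc", "d", "system_u:object_r:unlabeled_t:s0"),           # <<none>>: untouched
]

if __name__ == "__main__":
    policy = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for path, ctx in relabel_plan(policy, SAMPLE_ENTRIES):
        print(f"{path} -> {ctx}")
```

The plan step is where the two points of the thread show up: the spec file must be the guest's (the appliance's own policy would label a Debian guest with Fedora contexts, or vice versa), and paths must be rewritten relative to the guest root before matching, which is exactly what `setfiles -r` does for you when the real binary runs in the appliance.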